\documentclass[]{article}
\usepackage{enumerate}
\usepackage{amsmath}
\usepackage{graphicx}

\begin{document}

\title{Cryptanalysis \&...}
\author{Chin-Chen Chang, Hao-Chuan Tsai, Hai-Duong Le}
\maketitle

\begin{abstract}
%\boldmath
The abstract goes here.
\end{abstract}

\section{Introduction}

\section{Wang et al's scheme}

In Wang et al's scheme, they proposed a seven-phase authenticated key agreement protocol. The first six phases are used to facilitate authentication and key agreement as well as password changing, revocation of smart card and user eviction. The scheme introduces the seventh phase, namely user anonymity phase, to provides privacy of client's identity and location. In this section, we review Wang et al's scheme in brief.

\subsection{Registration phase}
\begin{itemize}
\item In this phase, each user submits his identity $id_i$ to server
\item The server verifies the user's identity and computes $B_i = h(x\|id_i\|cid_i) \times G$. $id_i, B_i,G,E_p$ are written into the smart card which is issued to user over a secure channel. User identity $id_i$ and card identity $cid_i$ are kept in server's ID table.
\item Upon receiving the smart card, user activates the card and sets a password $pw_i$ for it using a card reader. The smart card computes and stores $B' = B \oplus h(pw_i)$ into its memory in place of $B$.
\end{itemize}

\subsection{Precomputation phase}
In this phase, the smart card computes $T_1 = R \times G$ as a point over $E_p$, where $R$ is a random number. $T_1$ is stored in smart card memory for later use in authenticated key agreement.

\subsection{Authentication and key agreement phase}
In order to authenticate with the server, user inserts his smart card into card reader and keys in his password. Then, the user's system communicates with the server to established authentication and key agreement as follows.
\begin{itemize}
\item First, the smart card computes $B_i = B_i' \oplus h(pw_i)$ and $T_2 = h(R \times B_i)$. Then, it sends login request which is comprised of ($id_i$, $T_1$, $T_2$) to the server.
\item When the server receives ($id_i$, $T_1$, $T_2$), it checks user's identity against the ID table. The server then performs computation of $h(x\|id_i\|cid_i)$ and $T_2' = T_1 \times h(x\|id_i\|cid_i)$. If $T_2' = T_2$ holds, the server chooses a random number $W$ in $Z_n^*$; it computes $K = h(W \times T_1)$, $V_1 = h(T_2'\|K)$ and $T_3 = W \times G$. The server sends ($T_3$, $V_1$) to user's smart card.
\item Receiving ($T_3$, $V_1$), the smart card computes $K' = h(R \times T_3)$ and $V_1' = h(T_2\|K')$. If $V_1'$ is equal to $V_1$, smart card sends $V_2 = h(R \times B_i\|K'+1)$ to server.
\item The server authenticates the user's identity if $h(T_2'\|K + 1)$ is equal to $V_2$. Finally, the server and user share a session key $K = K'$.
\end{itemize}

\subsection{Password changing phase}
A user can change his password by simply insert his smart card  into card reader, and then entering his current and new password. Card reader replaces $B'$ with new value $B'' = B' \oplus h(pw_i) \oplus h(new_pw_i)$.

\subsection{Revoking smart card phase}
In the case a user lost his smart card, he can revoke his lost card and request for a replacement. The procedure of issuing new smart card for a user is similar to procedure in registration phase, server computes a new value of $B_i$, writes($id_i$, $B_i$, $G$, $E_p$) into the new smart card and updates the new card identity ${cid_i}_new$ in the ID table. Upon receiving new smart card, the user activates the new card and set his password which is used to compute new value $B_i' = B_i \oplus h(pw_i)$.

\subsection{User eviction phase}
The server can evict a user by removing the user's identity from the ID table. If the user tries to login using his smart card and password, he will fail to login since his identity is no longer in ID table.

\subsection{User anonymity phase}
In this section, rather than storing user's identity in a smart card, the server replaces identity of user $id_i$ by  an indicator $IND_i$.

\section{Cryptanalysis of Wang et al's scheme}
In this section, we show that Wang et al's scheme is susceptible to man-in-the-middle attack. This attack is possible with the assumption that an attacker has ability to intercept network traffic originated from a user. The attacker can forge to be server and deceive a user into forming a communication with attacker rather than with legitimate server. 

Suppose that a legitimate user sends his login request to server; a login request message consists of ($id_i$, $T_1$, $T_2$). Attacker intercepts the user's request message sending to server but does not forward the message to the genuine server. In order to impersonates the server, the attacker chooses a  random number $W$ and computes $K=h(W \times T_1$, $T_3 = W \times G$ and $V_1=h(T_2\|K)$ using $T_1$, $T_2$ which are sent in the request message. A forged reply message comprised of ($K$, $T_3$, $V_1$) is sent back to the user. 

When the user's smart card receives the forged reply message of ($K$, $T_3$, $V_1$), it computes $K'=R \oplus T_3$ and verifies whether $V_1$ is equal to $h(T_2\|K')$. It is obvious that the smart card perceive attacker as legitimate server, since $K$, $T_3$ and $V_1$ are computed based on user's $T_1$ and $T_2$. The smart card computes $V_2=h(T_2\|K'-1)$ and sends $V_2$ to server, which is masqueraded by the attacker now. After sending $V_2$, the smart card use $K'$, which is equal to $K$, to encrypt subsequent messages sending to server. Upon receiving $V_2$, attacker knows that he had successfully deceived the user to believe that he is the legitimate server. Starting from this point, the attacker can obtain user's confidential information which is supposedly destined at the server. 

Clearly, attacker does not require any secret from the server to compute $K$, $T_3$ and $V_1$; he can impersonate the server and cheat the user $U_i$. Therefore, Wang et al's scheme is unsuccessful in providing the mutual authentication service.

\section{The proposed scheme}
In this section, we provides 

\subsection{Registration}


\section{Conclusion}
The conclusion goes here.

\end{document}
